Inquiry on "Acceptable" CA criteria, after removal of non-discrimination clause


Ivan

Aug 1, 2025, 12:17:32 PM
to dev-secur...@mozilla.org
Hello,
I am writing to seek clarification on the interpretation of the Mozilla Root Store Policy.

In reviewing the latest version, I noted that the explicit "Non-discrimination" clause, present in previous versions, has been removed. This change raises a question about the current standards for CA conduct under the policy. Specifically, this relates to Section 2.1, CA Operations, which requires CAs to operate under "published criteria that we deem acceptable".

To provide a concrete example, a Mozilla-trusted CA based in Poland recently denied my application for a standard S/MIME certificate. The sole reason provided for this refusal was my Belarusian nationality. This action was taken despite my status as a long-term legal resident of Poland.
For clarity, I am not on any sanctions list, and the CA has no legal obligation to deny service on this basis.

Given the absence of the specific non-discrimination clause, my question is: How does Mozilla now assess the "acceptability" of a CA's operational criteria when it results in a categorical denial of service based on nationality, particularly when no legal requirements compel such a decision?

Thank you for your time and clarification.

Ben Wilson

Aug 1, 2025, 1:05:57 PM
to Ivan, dev-secur...@mozilla.org

Hi Ivan,

Thank you for your message.

As far as I am aware, the Mozilla Root Store Policy (MRSP) did not previously include an explicit “non-discrimination” clause, so nothing has been removed in that regard. However, item 6 in section 2.1 of the MRSP continues to require that CAs operate according to published criteria that we deem acceptable.

While we don’t directly control the actions of CAs, we do evaluate their practices to ensure they align with Mozilla’s values and expectations for fairness and trustworthiness. If you're willing to share the name of the CA and any relevant correspondence, we can take a closer look at the circumstances and assess whether further follow-up is appropriate.

Best regards,

Ben Wilson
Mozilla Root Program



Ivan

Aug 1, 2025, 1:41:55 PM
to dev-secur...@mozilla.org, Ben Wilson, dev-secur...@mozilla.org, Ivan
Hi Ben,

Thanks for your response.

My mistake, that was a proposal to add such a clause, not to remove one.

The CA is certum.pl (by Asseco). The original correspondence from 2023 contained a lot of my personal data to prove that I am a resident of Poland and ended with this:

> After analyzing the received documents and in accordance with our information on the CERTUM website about the suspension of issuing qualified and unqualified certificates for companies, organizations and citizens from the Russian Federation and the Republic of Belarus, we cannot process your order for a Certum S/MIME Individual certificate.
> The submitted residence card entitles you to access to the labor market; if you are employed in a Polish company, we can offer you a Certum S/MIME Sponsor certificate.
> Please read our offer and required documents for Certum S/Mime Sponsor.

This email was signed by subject=C=PL, ST=pomorskie, L=Gdańsk, O=Asseco Data Systems S.A., CN=Registration Authority, emailAddress=c...@certum.pl
issuer=C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Digital Identification CA SHA2



A month ago, I contacted them again to ask if their policy had changed, but they just responded that they do not issue code signing, S/MIME or SSL certificates for citizens of Russia and Belarus (most probably referring to this: https://www.certum.eu/en/news/change-in-the-rules-of-providing-trust-services-and-their-sale-on-the-territory-of-the-russian-federation-and-the-republic-of-belarus/).

Thanks,
Ivan

Ivan Buiko

Aug 8, 2025, 12:56:41 PM
to dev-secur...@mozilla.org, Ben Wilson
Just realized that I’ve sent a previous message using a Google Groups web form, and it’s most probably been filtered by everyone’s spam filters.